平台
php
修复版本
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in code-projects Real Estate Property Management System, affecting versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating the CategoryId parameter within the /Admin/EditCategory file. A fix is available in version 1.0.1, addressing this security concern.
Successful exploitation of CVE-2025-1195 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Real Estate Property Management System. This can lead to session hijacking, credential theft, defacement of the application, or redirection to malicious websites. The remote nature of the vulnerability means an attacker doesn't need local access to exploit it. The impact is amplified if the administrator account is compromised, potentially granting control over the entire system and sensitive property data.
CVE-2025-1195 has been publicly disclosed. A proof-of-concept exploit is likely to emerge given the vulnerability's nature and public disclosure. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation could increase this risk. The vulnerability was published on 2025-02-12.
Organizations utilizing the Real Estate Property Management System, particularly those with publicly accessible administrative interfaces, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromised user could potentially exploit this vulnerability to affect other users on the same server.
• generic web: Use curl to test the /Admin/EditCategory endpoint with various malicious payloads in the CategoryId parameter. Monitor access logs for suspicious requests containing JavaScript code.
curl 'http://your-real-estate-system.com/Admin/EditCategory?CategoryId=<script>alert("XSS")</script>'• php: Examine the source code of /Admin/EditCategory for inadequate input validation or output encoding of the CategoryId parameter. Search for functions like htmlspecialchars or strip_tags that are not being used correctly.
• wordpress / composer / npm: N/A - This is a PHP application, not a WordPress plugin or Node.js project.
• database (mysql, redis, mongodb, postgresql): N/A - This vulnerability does not directly involve a database.
• linux / server: N/A - This vulnerability does not directly involve a server or Linux system.
• windows / supply-chain: N/A - This vulnerability does not directly involve a Windows system or supply chain.
disclosure
漏洞利用状态
EPSS
0.27% (50% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-1195 is to immediately upgrade the Real Estate Property Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the CategoryId parameter in /Admin/EditCategory to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies to prevent similar vulnerabilities.
Actualizar a una versión parcheada del sistema de gestión de propiedades. Si no hay una versión parcheada disponible, sanitizar las entradas del parámetro CategoryId en el archivo /Admin/EditCategory para evitar la ejecución de código XSS.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-1195 is a cross-site scripting (XSS) vulnerability affecting versions 1.0–1.0 of the Real Estate Property Management System, allowing attackers to inject malicious scripts via the CategoryId parameter.
You are affected if you are using Real Estate Property Management System version 1.0–1.0 and have not upgraded to version 1.0.1 or later.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the CategoryId parameter.
While exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems closely.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-1195.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。